Security on Office 365

Office 365, other SaaS email services and cloud platforms in general can be more secure than running the same service on-premises. However, security also depends on one important factor: you, the end user. You can spend £1,000 on a certified high-security safe and then set the PIN to 00000, or leave a Post-it note with the PIN next to it, and hey presto, the high-security product or service is greatly weakened by a human being.

The admin account

Go back ten years and usernames were not email addresses but a letter followed by a few random numbers. Now the login is firstname.surname@domain.com or initial plus surname, so anyone who knows a person's name knows their username. This has made password guessing, password cracking and phishing easier.

The admin account should not be the Head of IT's everyday mailbox but a separate, dedicated account whose name cannot be read off the staff list. For example, do not make sam.smith@domain.com the admin account; use something like ss-admin@domain.com, or something more random, so that it is harder to guess and a phished day-to-day mailbox does not also hand an attacker the whole tenant.

Two factor authentication

Statistics suggest that only about 10% of organisations, or fewer, use 2FA of any form. With usernames being easily guessable, as described above, phishing and password cracking are a real problem. Why more so in the cloud? On-premises, a firewall often restricted who could reach OWA (Outlook Web Access); the Office 365 login page is reachable from anywhere on the internet by default, so the password is frequently the only thing between an attacker and the mailbox.

Even the entry-level SaaS offering from Microsoft includes 2FA, which not everyone knows. It can authenticate by SMS code, by push notification to the authenticator app, or by a one-time (OTP) code generated within the app. Start by enabling 2FA for all admins, have them test it for a week, and then gradually enforce it for all users in the organisation.
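The two points above, a dedicated admin identity and a phased 2FA rollout that starts with the admins, as an added PowerShell example (not code from the original article or from QA). It assumes the legacy MSOnline module and a Global Administrator session; the domain, the admin account name and the list of privileged roles are placeholders chosen for illustration.

```powershell
# Added example, not code from the original article. Assumes the legacy MSOnline module
# (Install-Module MSOnline) and a Global Administrator session. The domain, the admin
# account name and the role list are placeholders chosen for illustration.
Connect-MsolService

$Domain   = 'domain.com'
$AdminUpn = "ss-admin@$Domain"      # dedicated admin identity, not a name lifted from the staff list

# 1. A dedicated, cloud-only admin account: no mailbox, no daily use, so a phished
#    sam.smith@ mailbox does not also hand the attacker the tenant.
New-MsolUser -UserPrincipalName $AdminUpn -DisplayName 'Tenant administrator' `
             -ForceChangePassword $true -StrongPasswordRequired $true | Out-Null
$GlobalAdmin = Get-MsolRole -RoleName 'Company Administrator'   # MSOnline's name for Global Administrator
Add-MsolRoleMember -RoleObjectId $GlobalAdmin.ObjectId -RoleMemberEmailAddress $AdminUpn

# 2. Per-user MFA requirement object. 'Enabled' prompts the user to register at next sign-in
#    (the one-week trial phase); 'Enforced' refuses sign-in until MFA is registered.
function New-MfaRequirement([ValidateSet('Enabled', 'Enforced')][string]$State) {
    $Req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $Req.RelyingParty = '*'
    $Req.State        = $State
    return @($Req)
}

# 3. Phase one: every human member of a privileged role gets MFA first.
$PrivilegedRoles = 'Company Administrator', 'Exchange Service Administrator',
                   'SharePoint Service Administrator', 'User Account Administrator',
                   'Security Administrator'
foreach ($RoleName in $PrivilegedRoles) {
    $Role = Get-MsolRole -RoleName $RoleName
    Get-MsolRoleMember -RoleObjectId $Role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            Set-MsolUser -UserPrincipalName $_.EmailAddress -StrongAuthenticationRequirements (New-MfaRequirement 'Enforced')
            "MFA enforced for $($_.EmailAddress) ($RoleName)"
        }
}

# 4. Phase two, once the admins have lived with it for a week: every licensed user with no
#    requirement yet is set to 'Enabled' so they self-register; re-run with 'Enforced' later.
Get-MsolUser -All | Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements (New-MfaRequirement 'Enabled')
    }

# 5. Report anyone licensed who is not yet at 'Enforced', so the rollout can be tracked.
Get-MsolUser -All | Where-Object { $_.IsLicensed } |
    Select-Object UserPrincipalName,
        @{ Name = 'MfaState'; Expression = { ($_.StrongAuthenticationRequirements | Select-Object -First 1).State } } |
    Where-Object { $_.MfaState -ne 'Enforced' }
```

The role names are those used by the MSOnline module; check Get-MsolRole in your own tenant, and keep one break-glass admin account excluded from any conditional access rule that could lock all admins out at once.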

Consider ATP (Advanced Threat Protection)

Office 365's built-in anti-malware and anti-spam protection is decent, but nothing is perfect, of course. By default, links embedded in emails are checked only once, at delivery time, and attachments pass through a few standard anti-malware engines. More advanced and targeted attacks therefore have a chance of getting through.

Office 365 ATP has an RRP of £1.50 per user per month and is great value for its functionality. It has two core functions. First, Safe Attachments: files the standard engines cannot classify are automatically detonated in a sandbox, that is, opened in an isolated environment, and delivered only if they behave safely. Second, Safe Links: each link is rewritten so that on click it is re-scanned in the cloud, which catches URLs that were clean at delivery and weaponised afterwards.

Incoming phishing, and spoofing of the organisation's own domain, is a big problem. Many Office 365 users' mailboxes receive convincing phishing emails with links to copies of the Office 365 login page. 2FA limits the damage when a password is given away on such a page, and SPF plus DKIM make it harder for an attacker to send email that appears to come from your domain, because receiving servers can check that the message left an authorised server and was not altered in transit.

Setting up SPF is as simple as adding a TXT DNS record for the domain; the domain setup page in the Office 365 portal shows the exact value, which for Office 365 alone is v=spf1 include:spf.protection.outlook.com -all. Additional IPs or includes may need to be added depending on how else the organisation sends email (marketing platforms, on-premises relays, multifunction printers), and the record should end in -all rather than ~all or +all, or spoofed mail is still accepted. DKIM digitally signs outgoing email. For Office 365 it is set up by adding two CNAME records (selector1._domainkey and selector2._domainkey) that point at the keys Microsoft hosts for your tenant, and then enabling signing for the domain in the portal or via PowerShell.
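The SPF and DKIM setup above, as an added PowerShell example (not code from the original article or from QA). The domain and tenant name are placeholders, the SPF records it checks are constructed sample inputs, and nothing touches DNS or the tenant unless -ApplyToTenant is given, which assumes an Exchange Online PowerShell session. The Test-SpfRecord function goes slightly beyond the text: besides the missing Office 365 include and the weak "all" qualifier it also counts the DNS-lookup terms, since a record over the RFC 7208 limit of ten fails outright.

```powershell
# Added example, not code from the original article. Domain and tenant are placeholders,
# $Samples holds constructed records, and the tenant cmdlets run only with -ApplyToTenant.
param([switch]$ApplyToTenant)

$Domain       = 'domain.com'
$Tenant       = 'domaincom'                 # the <tenant> in <tenant>.onmicrosoft.com
$DomainDashed = $Domain -replace '\.', '-'

# The DNS records Office 365 needs. SPF is one TXT record. DKIM for Office 365 is two CNAMEs
# pointing at keys Microsoft hosts, so keys can be rotated without you touching DNS.
# Get-DkimSigningConfig reports the authoritative CNAME targets for your tenant.
$ExpectedRecords = @(
    [pscustomobject]@{ Type = 'TXT';   Name = $Domain;                        Value = 'v=spf1 include:spf.protection.outlook.com -all' }
    [pscustomobject]@{ Type = 'CNAME'; Name = "selector1._domainkey.$Domain"; Value = "selector1-$DomainDashed._domainkey.$Tenant.onmicrosoft.com" }
    [pscustomobject]@{ Type = 'CNAME'; Name = "selector2._domainkey.$Domain"; Value = "selector2-$DomainDashed._domainkey.$Tenant.onmicrosoft.com" }
)

# Checks an SPF record string for the mistakes that leave the domain spoofable.
function Test-SpfRecord([string]$Record) {
    if ($Record -notmatch '^v=spf1(\s|$)') { return ,'Not an SPF record: must start with v=spf1' }
    $Findings = @()
    $Terms = @($Record.Trim() -split '\s+' | Select-Object -Skip 1)
    if ($Terms -notcontains 'include:spf.protection.outlook.com') {
        $Findings += 'Office 365 servers not authorised: add include:spf.protection.outlook.com'
    }
    $All = @($Terms | Where-Object { $_ -match '^[+\-~?]?all$' }) | Select-Object -Last 1
    if (-not $All)                  { $Findings += 'No all mechanism: unlisted senders get a neutral result; end with -all' }
    elseif ($All -match '^\+?all$') { $Findings += '+all authorises every host on the internet; use -all' }
    elseif ($All -eq '?all')        { $Findings += '?all is neutral, spoofed mail is neither failed nor marked; use -all' }
    elseif ($All -eq '~all')        { $Findings += '~all only soft-fails spoofed mail; tighten to -all once every sender is listed' }
    # RFC 7208 allows at most 10 lookup-causing terms; beyond that receivers return permerror.
    $Lookups = @($Terms | Where-Object { $_ -match '^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)' }).Count
    if ($Lookups -gt 10) { $Findings += "$Lookups DNS-lookup terms, limit is 10: receivers will permerror" }
    return $Findings
}

# Constructed sample records: three common mistakes and the correct Office 365 record.
$Samples = [ordered]@{
    'open'     = 'v=spf1 ip4:203.0.113.10 +all'
    'softfail' = 'v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ~all'
    'no-o365'  = 'v=spf1 ip4:203.0.113.10 -all'
    'correct'  = 'v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all'
}
foreach ($Name in $Samples.Keys) {
    $Findings = @(Test-SpfRecord $Samples[$Name])
    if ($Findings.Count -eq 0) { "$Name : OK" } else { "$Name : " + ($Findings -join ' | ') }
}

"Records to publish for $Domain :"
$ExpectedRecords | Format-Table -AutoSize

if ($ApplyToTenant) {
    # Once the two CNAMEs resolve, switch on signing for the domain (Exchange Online PowerShell).
    New-DkimSigningConfig -DomainName $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
}
```

Run it against the real record from Resolve-DnsName -Type TXT on your domain before publishing changes; the "softfail" sample is what most tenants end up with, and it is why spoofed mail still lands in inboxes.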

Tweak all settings

Want extra security for free? Go through every security and non-security setting in the portal and harden it. You can buy the best product or service, but if you leave the defaults on you are losing out on features. Take an IPS, for instance: it ships with thousands of rules, but only around 20% are enabled out of the box.

Go through every 'sub-portal', read all the settings, research any you do not understand, and enable or disable them accordingly. Three to consider: 1. File extension filtering to block known malicious file types outright. 2. Strengthened anti-phishing and anti-spam protection for users known to be targeted, such as executives and finance staff. 3. Making ATP sandbox attachments before delivery rather than delivering first and scanning afterwards.
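The three settings just listed, together with the Safe Attachments and Safe Links functions described in the ATP section, as an added PowerShell example (not code from the original article or from QA). It assumes an Exchange Online PowerShell session with rights over the Security & Compliance policies, an ATP licence, and the Exchange Online cmdlet parameters of the ATP era (some have since been renamed); the domain, policy names, protected users and quarantine address are placeholders.

```powershell
# Added example, not code from the original article. Assumes an Exchange Online PowerShell
# session with ATP licensed; domain, names and addresses are placeholders.
$Domain     = 'domain.com'
$Executives = @('Sam Smith;sam.smith@domain.com', 'Jo Bloggs;jo.bloggs@domain.com')   # 'DisplayName;Address'
$BlockedExtensions = @('exe', 'scr', 'pif', 'cpl', 'js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh',
                       'hta', 'bat', 'cmd', 'ps1', 'jar', 'msi', 'lnk', 'iso')

# 1. File extension filtering: the default malware policy drops these before any scanning.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $BlockedExtensions

# 2. Anti-phishing tuned for the people who actually get spear-phished: impersonation of the
#    named executives and of the organisation's own domain goes to quarantine.
New-AntiPhishPolicy -Name 'Targeted users' `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $Executives `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect @($Domain) `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true
New-AntiPhishRule -Name 'Targeted users' -AntiPhishPolicy 'Targeted users' -RecipientDomainIs $Domain

# 3. Safe Attachments set to Block: the message is held until the sandbox verdict is in,
#    instead of being delivered with the attachment stripped or replaced. Blocked messages
#    are redirected to a security mailbox for review.
New-SafeAttachmentPolicy -Name 'Sandbox before delivery' -Enable $true -Action Block `
    -Redirect $true -RedirectAddress "security-quarantine@$Domain" -ActionOnError $true
New-SafeAttachmentRule -Name 'Sandbox before delivery' -SafeAttachmentPolicy 'Sandbox before delivery' `
    -RecipientDomainIs $Domain

# 4. Safe Links: rewrite every URL so it is re-scanned at click time, including mail between
#    internal users (a compromised colleague's mailbox is a common phishing source), and do not
#    let users click through the warning page.
New-SafeLinksPolicy -Name 'Rescan links on click' -IsEnabled $true -ScanUrls $true `
    -EnableForInternalSenders $true -DoNotAllowClickThrough $true -TrackClicks $true `
    -DeliverMessageAfterScan $true
New-SafeLinksRule -Name 'Rescan links on click' -SafeLinksPolicy 'Rescan links on click' `
    -RecipientDomainIs $Domain

# Verify what is now in force rather than trusting the portal tick boxes.
Get-MalwareFilterPolicy -Identity Default | Select-Object Name, EnableFileFilter, FileTypes
Get-AntiPhishPolicy     | Select-Object Name, EnableTargetedUserProtection, TargetedUserProtectionAction
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-SafeLinksPolicy      | Select-Object Name, IsEnabled, ScanUrls, EnableForInternalSenders
```

Block mode on Safe Attachments adds a delivery delay of a few minutes for unknown files; pilot it on the targeted users first, as the article's approach to 2FA suggests, and widen the rules once the helpdesk has stopped hearing about it.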

As a Microsoft Gold Learning Partner, QA offer the full Microsoft Official Curriculum alongside a QA Authored curriculum that can take you deeper in your knowledge of individual Office 365 products, deployments and best practice. The following courses can support with Security on Office 365:

Visit cyber.qa.com for more information on how they can help solve the cyber security skills gap.

About the author

Graeme joined QA in 2017 and has worked in security on and off for 13 years. His last role was as a Senior Technical Security Consultant at Capgemini, covering the public and private sectors. From the age of 17 he was running investigations into online scams and phishing. Today his experience is in OSINT and in thinking like a hacker to review and tweak settings with a fine-tooth comb.